On Sat, Mar 08, 2014 at 05:40:17PM +0100, Thomas Bächler wrote:
If validpgpkeys is set in the PKGBUILD, signature checking fails if the fingerprint of the key used to create the signature is not listed in the array.
The key's trust value is ignored. --- doc/PKGBUILD.5.txt | 7 +++++++ scripts/makepkg.sh.in | 16 ++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 50d8347..7a1e924 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`, `.sign` or, `.asc` are recognized by makepkg as PGP signatures and will be automatically used to verify the integrity of the corresponding source file.
+*validpgpkeys (array)*::
+ An array of PGP fingerprints. If this array is non-empty, makepkg will
+ only accept signatures from the keys listed here and will ignore the
+ trust values from the keyring.
++
+Fingerprints must be uppercase and must not contain whitespace characters.
+
 *noextract (array)*::
 An array of file names corresponding to those from the source array. Files listed here will not be extracted with the rest of the source files. This
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 015bdd7..6eb6d11 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1244,6 +1244,15 @@ check_checksums() {
 fi
 }
+is_valid_pgpkey() {
+ local pubkey
+
+ pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;')
I think you just want: pubkey=$(sed -n '/VALIDSIG/ s/.* VALIDSIG \([[:alnum:]]*\) .*/\1/p' "$statusfile") sed's -r flag isn't portable.
+ echo "$pubkey"
Don't you only want to echo this if the check that follows succeeds?
+ in_array "$pubkey" ${validpgpkeys[@]}
The array needs quoting.
+ return $?
Wholly redundant for this function in its current form.
+}
+
 check_pgpsigs() {
 (( SKIPPGPCHECK )) && return 0
 ! source_has_signatures && return 0
@@ -1303,9 +1312,12 @@ check_pgpsigs() {
 if grep -q "REVKEYSIG" "$statusfile"; then
 printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
 errors=1
- elif grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
+ elif (( ${#validpgpkeys[@]} == 0 )) && grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
 printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key is not trusted")" >&2
 errors=1
+ elif (( ${#validpgpkeys[@]} > 0 )) && ! pubkey=$(is_valid_pgpkey "$statusfile"); then
+ printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid key")"
+ errors=1
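Review bot: is_valid_pgpkey reads the global `$statusfile` and never looks at `$1`, yet the caller in the next hunk invokes it as `is_valid_pgpkey "$statusfile"`; either open the function with `local statusfile=$1` or drop the argument so the interface matches the call. The value the sed captures is the first field of GnuPG's VALIDSIG status line, which, if I read the status format correctly, is the fingerprint of the key that actually produced the signature — for a signing subkey that differs from the primary-key fingerprint most projects publish, while the primary fingerprint appears as the last VALIDSIG field. A PKGBUILD that lists the primary fingerprint would therefore be rejected, so this should either be spelled out in the new PKGBUILD.5.txt paragraph or matched against both fields. I would also give the function the file's usual header comment, stating that it prints the signing-key fingerprint taken from the gpg status file and returns 0 only when that fingerprint is listed in validpgpkeys.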
Is there a decent way to extract the real status from the file once and then do string comparisons in bash, rather than forking to grep all the time?
else
 printf '%s' "$(gettext "Passed")" >&2
 if grep -q "EXPSIG" "$statusfile"; then
@@ -2810,7 +2822,7 @@ fi
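Review bot: The new `invalid key` branch prints its FAILED message without the `>&2` that both sibling branches above use, so this one failure report lands on stdout instead of stderr, and it splices `$pubkey` into the printf format string instead of passing it as an argument. I would write it as `printf '%s (%s %s)' "$(gettext "FAILED")" "$(gettext "invalid key")" "$pubkey" >&2`, which also keeps the translated string free of the fingerprint. check_pgpsigs starts and ends outside the hunk, so I cannot see whether `pubkey` is declared `local`; if it is not, the assignment inside the `elif` leaks a global. Since a non-empty validpgpkeys now skips the keyring trust checks by design while the REVKEYSIG check above still applies, a short comment on the first changed `elif` would help the next reader, e.g. `# validpgpkeys overrides keyring trust: only listed fingerprints are accepted`.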
unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
 unset md5sums replaces depends conflicts backup source install changelog build
-unset makedepends optdepends options noextract
+unset makedepends optdepends options noextract validpgpkeys
BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
 if [[ ! -f $BUILDFILE ]]; then
-- 1.9.0